DMARC (Domain-based Message Authentication,
Reporting, and Conformance) Extension For PSDs (Public Suffix Domains)
fTLD Registry Services600 13th Street, NW, Suite 400WashingtonDC20005United States of America+1 301 325-5475scott@kitterman.comDMARCemail authenticationTLDDMARC (Domain-based Message Authentication, Reporting, and Conformance)
is a scalable mechanism by which a mail-originating organization can
express domain-level policies and preferences for message validation,
disposition, and reporting, that a mail-receiving organization can use
to improve mail handling. DMARC policies can be applied at the
individual domain level or for a set of domains at the organizational
level. The design of DMARC precludes grouping policies for a set of
domains above the organizational level, such as TLDs (Top Level
Domains). These types of domains (which are not all at the top level
of the DNS tree) can be collectively referred to as Public Suffix
Domains (PSDs). For the subset of PSDs that require DMARC usage, this
memo describes an extension to DMARC to enable DMARC functionality for
such domains.DMARC provides a mechanism for publishing
organizational policy information to email receivers. DMARC allows policy to be specified for both
individual domains and sets of domains within a single organization.
For domains above the organizational level in the DNS tree, policy can
only be published for the exact domain. There is no method available
to such domains to express lower level policy or receive feedback
reporting for sets of domains. This prevents policy application to
non-existent domains and identification of domain abuse in email, which
can be important for brand and consumer protection.
As an example, imagine a country code TLD (ccTLD) which has public
subdomains for government and commercial use (.gov.example and
.com.example). Within the .gov.example public suffix, use of DMARC has been mandated and .gov.example has
published its own DMARC record:
"v=DMARC1;p=reject;rua=mailto:dmarc@dmarc.service.gov.example"
at
_dmarc.gov.example.
This would provide policy and feedback for mail sent from @gov.example,
but not @tax.gov.example and there is no way to publish an
organizational level policy that would do so. While, in theory,
receivers could reject mail from non-existent domains, not all
receivers do so. Non-existence of the sending domain can be a factor
in a mail delivery decision, but is not generally treated as definitive
on its own.
This memo provides a simple extension to DMARC
to allow operators of Public Suffix Domains (PSDs) to express
policy for groups of subdomains, extends the
DMARC policy query functionality to detect and process such a
policy, describes receiver feedback for such policies, and provides
controls to mitigate potential privacy considerations associated with
this extension.
There are two types of Public Suffix Operators (PSOs) for which this
extension would be useful and appropriate:
Branded PSDs (e.g., ".google"): These domains are
effectively Organizational Domains as discussed in DMARC. They control all
subdomains of the tree. These are effectively private
domains, but listed in the Public Suffix List. They are
treated as Public for DMARC
purposes. They require the same protections as DMARC Organizational Domains, but
are currently excluded.
Multi-organization PSDs that require DMARC usage (e.g.,
".bank"): Because existing Organizational Domains using
this PSD have their own DMARC policy, the applicability of
this extension is for non-existent domains. The extension
allows the brand protection benefits of DMARC to extend to the entire PSD,
including cousin domains of registered organizations.
Due to the design of DMARC and the nature
of the Internet email architecture, there
are interoperability issues associated with
DMARC deployment. These are discussed in
Interoperability Issues between DMARC and Indirect Email Flows.
These issues are not applicable to PSDs, since they (e.g., the
".gov.example" used above) do not send mail.
DMARC, by design, does not support
usage by PSOs. For PSDs that require use of DMARC, an extension of DMARC reporting and
enforcement capability is needed for PSO to effectively manage and
monitor implementation of PSD requirements.
This section defines terms used in the rest of the document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they appear in all
capitals, as shown here.
The global Internet Domain Name System (DNS) is documented in
numerous Requests for Comment (RFC). It defines a tree of names
starting with root, ".", immediately below which are Top Level
Domain names such as ".com" and ".us". They are not available
for private registration. In many cases the public portion of
the DNS tree is more than one level deep. PSD DMARC includes all
public domains above the organizational level in the tree, e.g.,
".gov.uk".
Organizational Domain (DMARC Section
3.2) with one label removed.
A Public Suffix Operator manages operations within their PSD.
PSO Controlled Domain Names are names in the DNS that are
managed by a PSO and are not available for use as Organizational
Domains (the term Organizational Domains is defined in DMARC Section 3.2). Depending on PSD policy, these
will have one (e.g., ".com") or more (e.g., ".co.uk") name
components.
For DMARC purposes, a non-existent
domain is a domain name that publishes none of A, AAAA, or MX
records that the receiver is willing to accept. This is a
broader definition than that in NXDOMAIN.
This document updates DMARC as follows:References to "Domain Owners" also apply to PSOs.PSD DMARC records are published as a subdomain of the PSD. For the
PSD ".example", the PSO would post DMARC policy in a TXT
record at "_dmarc.example".
In addition to the DMARC domain owner
actions, PSOs that require use of DMARC ought to make that
information available to receivers.
A new step between step 3 and 4 is added:If the set is now empty and the longest PSD of the Organizational
Domain is one that the receiver has determined is acceptable
for PSD DMARC, the Mail Receiver MUST query the DNS for a
DMARC TXT record at the DNS domain matching the longest PSD in place of the RFC5322.From
domain in the message (if different). A possibly empty set
of records is returned.
As an example, for a message with the Organizational Domain of
"example.compute.cloudcompany.com.cctld", the query for PSD DMARC
would use "compute.cloudcompany.com.cctld" as the longest PSD. The receiver would check to see
if that PSD is listed in the DMARC PSD Registry, and if so, perform
the policy lookup at "_dmarc.compute.cloudcompany.com.cctld".
Note: Because the PSD policy query comes after the Organizational
Domain policy query, PSD policy is not used for Organizational
domains that have published a DMARC
policy. Specifically, this is not a mechanism to provide
feedback addresses (RUA/RUF) when an Organizational Domain has
declined to do so.
Operational note for PSD DMARC: For PSOs, feedback for non-existent
domains is desired and useful. See for
discussion of Privacy Considerations.
These privacy considerations are developed based on the requiremetns of
. The Privacy Considerations of apply to this document.
Providing feedback reporting to PSOs can, in some cases, create
leakage of information outside of an organization to the PSO.
This leakage could be potentially be utilized as part of a program
of pervasive surveillance (See ). There
are roughly three cases to consider:
Single Organization PSDs (e.g., ".google"), RUA and RUF
reports based on PSD DMARC have the potential to contain
information about emails related to entities managed by
the organization. Since both the PSO and the
Organizational Domain owners are common, there is no
additional privacy risk for either normal or non-existent
Domain reporting due to PSD DMARC.
Multi-organization PSDs that require DMARC usage (e.g.,
".bank"): PSD DMARC based reports will only be generated
for domains that do not publish a DMARC policy at the
organizational or host level. For domains that do publish
the required DMARC policy records, the feedback reporting
addresses (RUA and RUF) of the organization (or hosts)
will be used. The only direct feedback leakage risk for
these PSDs are for Organizational Domains that are out of
compliance with PSD policy. Data on non-existent cousin
domains would be sent to the PSO.
Multi-organization PSDs (e.g., ".com") that do not mandate
DMARC usage. Privacy risks for Organizational Domains
that have not deployed DMARC within such PSDs are
significant. For non-DMARC Organizational Domains, all
DMARC feedback will be directed to the PSO. PSD DMARC is
opt-out (by publishing a DMARC record at the
Organizational Domain level) vice opt-in, which would be
the more desirable characteristic.
PSOs will receive feedback on non-existent domains, which may be
similar to existing Organizational Domains. Feedback related to
such cousin domains have a small risk of carrying information
related to an actual Organizational Domain. To minimize this
potential concern, PSD DMARC feedback is best limited to
Aggregate Reports. Feedback Reports carry more detailed
information and present a greater risk.
Due to the inherent Privacy and Security risks associated with
PSD DMARC for Organizational Domains in multi-organization PSDs
that do not particpate in DMARC, any Feedback Reporting related to
multi-organizational PSDs ought to be limited to non-existent
domains except in cases where the reporter knows that PSO
requires use of DMARC.
This document does not change the Security Considerations of
and .
The risks of the issues identified in ,
Section 12.5, External Reporting Addresses, are amplified by PSD
DMARC. By design, PSD DMARC causes unrequested reporting of feedback
to entities external to the Organizational Domain. This is discussed
in more detail in .
This document does not require any IANA actions. TBS